This is the first part of enabling Esti to run on Dependabot PRs.

What

For PRs opened by Dependabot, require user approval to run Esti.

How

Hopefully similar to treeverse/patura#432.

Why

Dependabot PRs can contain essentially anything, including potentially malicious updates. Running them could expose all secrets of our CI. Limit the scope of damage that such a PR can do by requiring reviewer approval. This allows us to:

Wait.
Supply-chain attacks on packages are detected within hours. If we don't immediately run Esti, we avoid many attacks.

Review.
Does the PR make sense? Are lock files (go.sum, package-lock.json) modified more than dependency files (go.mod, package.json)?
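One way to express the approval gate described above in a GitHub Actions workflow, as an added illustration rather than the PR's actual change (the environment name `esti-dependabot-approval`, the job names and the `make esti` step are assumptions; the environment must be created in the repository settings with "Required reviewers" for the gate to block):

```yaml
name: Esti
on:
  pull_request:

jobs:
  # Gate job: runs only for PRs opened by Dependabot. Because it targets
  # an environment with required reviewers (assumed name below), the run
  # pauses here until a maintainer approves it. Every new push to the PR
  # is a new workflow run and needs a fresh approval.
  dependabot-approval:
    if: github.actor == 'dependabot[bot]'
    runs-on: ubuntu-latest
    environment: esti-dependabot-approval
    steps:
      - run: echo "Reviewer approved running Esti on this Dependabot PR"

  esti:
    needs: dependabot-approval
    # Run Esti when the gate succeeded, or when it was skipped because the
    # PR is not from Dependabot. Any other outcome (gate rejected, failed,
    # or skipped for a Dependabot PR) keeps Esti from running: fail closed.
    if: >-
      always() &&
      (needs.dependabot-approval.result == 'success' ||
       (needs.dependabot-approval.result == 'skipped' &&
        github.actor != 'dependabot[bot]'))
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make esti   # placeholder for the real Esti invocation
```

The reviewer approving the environment deployment is the point at which the "Wait" and "Review" checks above (has the package been flagged since the PR opened, do the lock-file changes match the manifest changes) are applied before any secret-bearing job runs.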